Connecting two MikroTik routers

Hi all,

I have two MikroTik routers. The first one is the main router and is connected to the internet, and the second router is connected to the first one with an Ethernet cable.

My question is, how can I ‘properly’ connect the two routers, so all hosts that connect to the second router can access the internet through the first one?

When I go under ip > neighbors I can see the second router, but the hosts connected to it can’t access the internet.
Do I need to set a static route, a routing protocol or something else between them?

Thank you for your replies

Static route is the best answer.

If LAN behind R2 is 192.168.2.0/24 and R2 has address on LAN1 of 192.168.1.2, then in R1 you add route with destination=192.168.2.0/24 gateway=192.168.1.2.
Also - make sure that your srcnat rule in R1 allows 192.168.2.0/24 to go on the Internet with NAT.
e.g.
chain=srcnat out-interface=wan action=masquerade

And finally, make sure there is no NAT on R2.

The cleanest solution is to make a “point to point” network between R1 and R2 so that R2 is not a member of the LAN of R1. If R2 is plugged into R1 on ether2, for example, make sure that ether2 is not part of the LAN bridge or master/slave switch settings.
Put a different IP on this link - R1 = 192.168.255.1/30 and R2 = 192.168.255.2/30
R1 add static route to 192.168.2.0/24 via 192.168.255.2
R2 default gateway is 192.168.255.1

Internet
^
|
V
R1 ---> (LAN1=192.168.1.0/24)
^
|
V
R2 ---> (LAN2 = 192.168.2.0/24)

This is the cleanest solution because traffic from LAN2 to Internet does not go through LAN1, and you can make it have its own policy if you want in R1. It is easier to block / allow communication between LAN1 and LAN2 this way also. Another good thing about this is that it doesn’t rely on ICMP redirect from R1 to hosts in LAN1 which try to reach LAN2.

Hi ZeroByte,

What do you mean by this, and how can I check that?

My R2 is currently connected to R1 on ether3, so on R1 I put an IP address of e.g. 192.168.255.1/30, and on R2 I put an IP address of 192.168.255.2/30. Does the IP have to be set on both routers on ether3?

Many thanks

On R1 -
go into interfaces > ethernet, edit interface ether3, and make sure that master port is set to “none”
If the LAN interface is a bridge interface, go into bridge > ports and make sure that ether3 is not shown.
If it is there, just remove it.

You don’t specifically have to use ether3 on both sides. Just make sure that on R2, you use the 192.168.255.2/30 IP address on whichever interface you use to connect it to R1. I recommend using ether1 for this on R2, just so that in both routers, ether1 = upstream interface

Hi ZeroByte,

On R1, I have put the address 192.168.255.1/30 on the ether3 interface, which is the interface I connect R2 to with an Ethernet cable.

On R2, I have also put the address 192.168.255.2/30 on the ether3 interface, and on the ether5 interface on R2 I have configured network 10.5.0.0/24, on which I have connected one host.

On R1 under IP > Routes I have put a static route: Dst. Address: 10.5.0.0/24 and Gateway is 192.168.255.2.
On R2 under Dhcp-server > Networks, under the 10.5.0.0 network, I put a gateway of 192.168.255.1.

Is that ok?

So my question is:
I have connected one host on ether5 on R2, which has the network 10.5.0.0/24, and R2 is connected through ether3 to R1, which is connected to the internet. How can my host on ether5 on R2 access the internet through R1?

Many thanks

You were doing great up until that point. The gateway should be the IP address R2 has on ether5, so if R2 is 10.5.0.1/24, then 10.5.0.1 is the gateway.

R2 needs to configure the default GW - just like your static route from R1 → 10.5.0.0/24, but on R2, destination is 0.0.0.0/0 and GW is 192.168.255.1

Last piece of the puzzle - Whatever rule R1 uses to do srcnat, make sure that it is not so specific that it won’t allow 10.5.0.0/24, and not so generic that it will srcnat between internal hosts.

I would have only one NAT rule in the entire table:
chain=srcnat out-interface=WAN action=masquerade

That one rule will make everything work the way it should - NAT towards Internet, leave IP alone on the inside.
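
An added example, not part of the thread: a small Python check of the path discussed above (host gateway on-link, R2 default route, R1 return route, NAT only on R1 and bound to the WAN interface). The host address 10.5.0.50 and the probe address 203.0.113.10 are constructed, and the dictionary layout and function names are hypothetical, not RouterOS output.

```python
import ipaddress as ip

def on_link(addresses, gateway):
    """True if gateway falls inside a subnet the node is directly attached to."""
    return any(ip.ip_address(gateway) in ip.ip_interface(a).network for a in addresses)

def lookup(routes, dst):
    """Longest-prefix match over (prefix, gateway) static routes; None if no match."""
    hits = [(ip.ip_network(n), gw) for n, gw in routes if ip.ip_address(dst) in ip.ip_network(n)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def audit(host_addr, host_gw, r1, r2, probe="203.0.113.10"):
    """List what breaks host -> R2 -> R1 -> Internet and the return path."""
    host, problems = ip.ip_interface(host_addr), []
    if not on_link([host_addr], host_gw):
        problems.append(f"DHCP gateway {host_gw} is outside {host.network}")
    up = lookup(r2["routes"], probe)
    if up is None:
        problems.append("R2 has no default route")
    elif not on_link(r2["addresses"], up):
        problems.append(f"R2 next hop {up} is not on-link")
    back = lookup(r1["routes"], str(host.ip))
    if back is None:
        problems.append(f"R1 has no return route to {host.network}")
    elif not on_link(r1["addresses"], back):
        problems.append(f"R1 next hop {back} is not on-link")
    if r2["nat"]:
        problems.append("R2 has NAT rules; only R1 should srcnat")
    covering = [r for r in r1["nat"]
                if host.ip in ip.ip_network(r.get("src-address", "0.0.0.0/0"))]
    if not covering:
        problems.append(f"no R1 srcnat rule covers {host.network}")
    elif any("out-interface" not in r for r in covering):
        problems.append("R1 srcnat rule lacks out-interface, so it also NATs internal traffic")
    return problems

# Constructed model of the thread's topology; the host address is an assumption.
R1 = {"addresses": ["192.168.255.1/30"],
      "routes": [("10.5.0.0/24", "192.168.255.2")],
      "nat": [{"chain": "srcnat", "out-interface": "WAN", "action": "masquerade"}]}
R2 = {"addresses": ["192.168.255.2/30", "10.5.0.1/24"],
      "routes": [("0.0.0.0/0", "192.168.255.1")],
      "nat": []}

if __name__ == "__main__":
    print(audit("10.5.0.50/24", "192.168.255.1", R1, R2))  # gateway as first configured
    print(audit("10.5.0.50/24", "10.5.0.1", R1, R2))       # gateway corrected
```
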

Hi ZeroByte,

From my host connected to ether5 on R2 I can ping both 192.168.255.1 and 192.168.255.2, but I still can’t access anything from my browser.

Do I have to configure NAT on R2, or do I need to disable the firewall?
What could be the problem?

Many thanks

If you can ping 192.168.252.1 from a 10.5.0.x host, then your routing is good inside your network.
You do not need NAT on R2, and it is a bad idea to do so anyway.
Double, triple NAT can break applications that work through a single NAT.

Is DNS being assigned correctly on 10.5.0.x hosts? (sometimes, it’s something simple)

Otherwise, post firewall configs:

/ip firewall export compact